On 1/8/19 8:39 PM, Fred Cisin via cctalk wrote:
> 3 failures is not enough for some legitimate human failings.
> There's a high chance for false positives there.
> I occasionally will forget a password, and make 4 or 5 tries; and then,
> a few days later, remember it.
I wonder if it's three password attempts (likely in a single connection)
or three failed connections. I could see how three failed connections
would suffice, as that would be nine password attempts.
> So, I MUCH prefer the concept of a logarithmically increasing lockout,
> starting small. Maybe as little as a millisecond, to permit a REASONABLE
> number of "maybe it was...", but thoroughly block brute force and
> dictionary/list attempts.
I created a fancy IPTables rule set that used the recent match extension
to dynamically (in kernel, without any files on the drive) produce a
back-off period. I don't remember the exact count of things, or the
timings. But I do recall that it was something like 5 minutes, 30 minutes,
1 hour, 1 day, 1 week, 1 month, 1 year. I don't think I had permanent.
(Maybe I did. It's been 15+ years.)
--
Grant. . . .
unix || die
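An added example, not Grant's iptables rule set (which the post does not reproduce): a userspace model of the same escalating back-off in Python, replayed over constructed auth log lines, so that a handful of human fumbles pass while a persistent failing source climbs the tiers. The log format, the source addresses and the two-day forgiveness window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lockout schedule constructed to mirror the tiers recalled in the post
# (5 min, 30 min, 1 h, 1 day, 1 week, 1 month, 1 year); no permanent tier.
TIERS = [timedelta(minutes=5), timedelta(minutes=30), timedelta(hours=1),
         timedelta(days=1), timedelta(weeks=1), timedelta(days=30), timedelta(days=365)]
FREE_TRIES = 5                    # failures tolerated before the first lockout
FORGET_AFTER = timedelta(days=2)  # quiet period after which a source's history is dropped
# Hypothetical log line format: "<ISO time> auth: FAIL|OK from <src>"
LOG_RE = re.compile(r"^(\S+) auth: (FAIL|OK) from (\S+)$")

def decide(state, src, ok, now):
    """Userspace analogue of chaining iptables 'recent' lists. The first lockout
    needs FREE_TRIES failures; after that, any failure once a lock has expired
    moves the source up one tier. Attempts while locked are rejected, not counted."""
    s = state.get(src)
    if s is not None and now - s["last"] > FORGET_AFTER:
        s = None  # long silence: forgive the history entirely
    if s is None:
        s = state[src] = {"fails": 0, "tier": -1, "until": now, "last": now}
    s["last"] = now
    if now < s["until"]:
        return "locked"
    if ok:
        s["fails"] = 0
        return "ok"
    s["fails"] += 1
    if s["tier"] >= 0 or s["fails"] > FREE_TRIES:
        s["tier"] = min(s["tier"] + 1, len(TIERS) - 1)
        s["until"] = now + TIERS[s["tier"]]
        s["fails"] = 0
        return "locked"
    return "fail"

def run(lines):
    """Replay auth log lines; return ([(src, decision), ...], per-source state)."""
    state, out = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # unrelated log lines are skipped
            ts, result, src = m.groups()
            out.append((src, decide(state, src, result == "OK", datetime.fromisoformat(ts))))
    return out, state

# Constructed sample: a human who fumbles 4 times then succeeds, and a scripted
# source that keeps failing. Tuples are (seconds after T0, result, source).
T0 = datetime(2019, 1, 8, 20, 0, 0)
EVENTS = [(t, "FAIL", "10.0.0.5") for t in (0, 10, 20, 30)] + [(40, "OK", "10.0.0.5")] \
       + [(60 + i, "FAIL", "203.0.113.9") for i in range(6)] \
       + [(t, "FAIL", "203.0.113.9") for t in (180, 420, 600)]
SAMPLE_LOG = [f"{(T0 + timedelta(seconds=t)).isoformat()} auth: {r} from {s}" for t, r, s in EVENTS]
```

Running `run(SAMPLE_LOG)` leaves the human source never locked, while the scripted source is held for 5 minutes after its sixth failure and then for 30 minutes on its next failure after that lock expires.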